
session.go

    Rohith authored
    - adding the ability to control the secure flag of the cookie
    - adding the ability to inject custom claims from the access token into the authenticated headers
    - updating the readme to reflect the changes
    - changed the claims option to match-claims
    - changed the upstream config option to upstream-url, same as command line line
    - changed the config options for keepalive, keepalive -> upstream-keepalives, same as command line
    - added the headers command line option as it was missing
    - updated the example config_sample.yml
    - adding additional unit tests where i could
    05d1d43c
    session.go 2.65 KiB
    /*
    Copyright 2015 All rights reserved.
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
    
        http://www.apache.org/licenses/LICENSE-2.0
    
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
    */
    
    package main
    
    import (
    	"strings"
    
    	log "github.com/Sirupsen/logrus"
    	"github.com/coreos/go-oidc/jose"
    	"github.com/gin-gonic/gin"
    )
    
    // getIdentity resolves the caller's identity from the request. The access-token
    // cookie is tried first; only when that lookup reports ErrSessionNotFound does
    // it fall back to the Authorization header. Any other error is returned as is.
    //
    // The returned userContext has bearerToken set when the token came from the
    // header rather than the cookie.
    //
    // NOTE(review): the token is only parsed on this path (jose.ParseJWT, then
    // extractIdentity); no signature or expiry check is visible in this function,
    // so callers are presumably expected to verify the token before trusting the
    // identity - confirm.
    func (r oauthProxy) getIdentity(cx *gin.Context) (*userContext, error) {
    	viaHeader := false
    	token, err := r.getAccessTokenFromCookie(cx)
    	switch {
    	case err == nil:
    		// the session cookie carried a parsable token
    	case err != ErrSessionNotFound:
    		// a cookie was found but could not be used; do not fall back to the header
    		return nil, err
    	default:
    		// no session cookie: the Authorization header is the only remaining source
    		token, err = r.getTokenFromBearer(cx)
    		if err != nil {
    			return nil, err
    		}
    		viaHeader = true
    	}
    
    	// decode the access token into a user identity
    	identity, err := extractIdentity(token)
    	if err != nil {
    		return nil, err
    	}
    	identity.bearerToken = viaHeader
    
    	// Debug-level only: the entry carries id, name, email and roles, so debug
    	// logging should stay off wherever those count as sensitive.
    	fields := log.Fields{
    		"id":    identity.id,
    		"name":  identity.name,
    		"email": identity.email,
    		"roles": strings.Join(identity.roles, ","),
    	}
    	log.WithFields(fields).Debugf("found the user identity: %s in the request", identity.email)
    
    	return identity, nil
    }
    
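    // getTokenFromBearer extracts and parses the JWT carried in the Authorization
    // header of the request.
    //
    // It returns ErrSessionNotFound when the header is absent, ErrInvalidSession
    // when the value is not exactly "<scheme> <token>" or the scheme is not Bearer,
    // and otherwise whatever jose.ParseJWT returns. The token is parsed only; its
    // signature is not verified here.
    func (r oauthProxy) getTokenFromBearer(cx *gin.Context) (jose.JWT, error) {
    	auth := cx.Request.Header.Get(authorizationHeader)
    	if auth == "" {
    		return jose.JWT{}, ErrSessionNotFound
    	}
    
    	items := strings.Split(auth, " ")
    	if len(items) != 2 {
    		return jose.JWT{}, ErrInvalidSession
    	}
    	// Only the Bearer scheme carries an access token; credentials sent under any
    	// other scheme (Basic, Digest, ...) must not be handed to the JWT parser.
    	// Scheme names are matched case-insensitively (RFC 7235).
    	if !strings.EqualFold(items[0], "Bearer") {
    		return jose.JWT{}, ErrInvalidSession
    	}
    
    	return jose.ParseJWT(items[1])
    }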
    
    // getAccessTokenFromCookie looks up the cookie named by config.CookieAccessName
    // among the request cookies and parses its value as a JWT.
    //
    // It returns ErrSessionNotFound when no such cookie is present; otherwise the
    // result (token or error) of jose.ParseJWT is passed through unchanged. The
    // token is parsed only, not verified.
    func (r oauthProxy) getAccessTokenFromCookie(cx *gin.Context) (jose.JWT, error) {
    	if c := findCookie(r.config.CookieAccessName, cx.Request.Cookies()); c != nil {
    		return jose.ParseJWT(c.Value)
    	}
    
    	return jose.JWT{}, ErrSessionNotFound
    }
    
    // getRefreshTokenFromCookie returns the raw value of the cookie named by
    // config.CookieRefreshName, or ErrSessionNotFound when the request carries no
    // such cookie. The value is handed back exactly as received; nothing in this
    // function decodes or validates it.
    func (r oauthProxy) getRefreshTokenFromCookie(cx *gin.Context) (string, error) {
    	if c := findCookie(r.config.CookieRefreshName, cx.Request.Cookies()); c != nil {
    		return c.Value, nil
    	}
    
    	return "", ErrSessionNotFound
    }